Hey
> If you are not running inside a Servlet, you use JNDI to authenticate,
> or if you're using IIOP there's SECIOP (don't ask me, I just learned
> of that).
No no no, you never ever use JNDI to authenticate EJB callers. It won't
work.
Simple example:
User A uses JNDI to lookup FooHome. He is indeed authenticated as A with
the JNDI service and is allowed access to FooHome.
A now uses FooHome to find some instance Bar. He calls Bar a few times.
Let's say, just for fun, that JNDI was indeed used to authenticate the
user. Bar hence thinks that it is being called by A, which it is.
A now hands the reference to Bar to user B. Since we have no way of
telling Bar that the user has changed - remember, we used JNDI to
authenticate - any calls that B makes to Bar will be with the A
identity. Which is incorrect.
There are a couple more scenarios such as this, for example ones involving
extensive use of Handles, that show that JNDI is not a good way to
authenticate EJB users.
What *is* a good way to do this is to use a thread-based scheme such as
JAAS. For now, security authentication is proprietary, and is indeed by
far the biggest hole in the whole J2EE area, but once JAAS becomes used
this should clear up (I hope, fingers crossed).
/Rickard
--
Rickard Öberg
@home: +46 13 177937
Email: [EMAIL PROTECTED]
http://www.dreambean.com
Question reality
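The reference hand-off Rickard describes, as an added illustration that is not part of the original mail or of any EJB container: a proxy that froze the identity established at JNDI lookup time is compared with one that reads the caller from the executing thread, the way a JAAS Subject propagated with Subject.doAs would be. The ThreadLocal, the Bar interface and the user names are hypothetical stand-ins.

```java
/**
 * Added example: identity bound to a looked-up reference versus identity
 * bound to the calling thread. Names and types are hypothetical.
 */
public class ReferenceVsThreadIdentity {

    /** Stand-in for the per-thread Subject that JAAS propagates via Subject.doAs. */
    static final ThreadLocal<String> CURRENT_PRINCIPAL = new ThreadLocal<>();

    /** The remote interface of the bean "Bar" from the mail. */
    interface Bar {
        String callerPrincipal();
    }

    /** Model 1: JNDI authenticated the lookup, so the proxy remembers that user forever. */
    static Bar lookupAuthenticatedByJndi(String lookupUser) {
        final String frozenIdentity = lookupUser;      // captured once, never re-evaluated
        return () -> frozenIdentity;
    }

    /** Model 2: the bean asks the executing thread who the caller is on every call. */
    static Bar lookupThreadBased() {
        return CURRENT_PRINCIPAL::get;
    }

    /** Runs one bean call with the given user established on the current thread. */
    static String callAs(String user, Bar bar) {
        String previous = CURRENT_PRINCIPAL.get();
        CURRENT_PRINCIPAL.set(user);
        try {
            return bar.callerPrincipal();
        } finally {
            CURRENT_PRINCIPAL.set(previous);           // restore, as Subject.doAs would on return
        }
    }

    public static void main(String[] args) {
        // User A does the lookup, calls Bar, then hands the reference to user B.
        Bar viaJndi = lookupAuthenticatedByJndi("A");
        System.out.println("JNDI model, A calls:   " + callAs("A", viaJndi));   // A
        System.out.println("JNDI model, B calls:   " + callAs("B", viaJndi));   // still A: misattributed

        // Same hand-off with a thread-based scheme: B's call is attributed to B.
        Bar threadBased = lookupThreadBased();
        System.out.println("Thread model, A calls: " + callAs("A", threadBased)); // A
        System.out.println("Thread model, B calls: " + callAs("B", threadBased)); // B
    }
}
```

The second pair of lines is the behaviour an authorization check inside Bar needs; the first pair shows why a lookup-time identity cannot provide it.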